FOREWORD


This Indian Standard (Part 3) was adopted by the Bureau of Indian Standards, after the draft finalized by the 
Information Systems Security and Privacy Sectional Committee had been approved by the Electronics and 
Information Technology Divisional Council. 


There is no ISO/IEC Standard on this subject. 
This standard is one of a series of Indian Standards on mobile device security. Other parts in this series are: 
Part 1 Overview 
Part 2 Security requirements 
Part 4 Assessment and evaluation 
As mobile based services, especially financial services, are gaining popularity, focus on the security of data and 
content on mobile devices is obvious. Mobile devices need additional protection because their extensive mobility 
(portability) and always-on connectivity (generally using untrusted public networks) place them at higher exposure 
to threats than other client devices such as desktop and laptop devices, which are normally used only within the 
organization’s facilities and on the organization’s networks. 


Addressing the security of mobile devices requires a totally different approach and strategy compared to normal 
computer-based systems and applications. Mobile devices use a mobile ecosystem that involves various subsystems and 
components to provide an environment that enables the operation and connectivity of mobile devices and information 
systems. Therefore, security of mobile devices needs to be addressed at the different layers (subsystems and components) 
of the mobile ecosystem, covering the mobile device technology stack (including firmware, embedded components, 
operating system, and pre-installed applications such as the mobile browser, device management software agent, VPN client, 
email client, etc.), third-party mobile applications, networks and communication interfaces (including cellular, 
Wi-Fi, Bluetooth and NFC), mobile infrastructure (including the mobile app store and services) and enterprise mobile 
support/monitoring services (enterprise mobility management [EMM]/device management software and mobile 
application management [MAM]). All these components of the mobile ecosystem shall be considered for defining 
and assessing the security of mobile devices to meet the common security objectives: confidentiality, integrity and 
availability. 


This series of standards is applicable to the following: 
a) Organizations designing, developing, and manufacturing mobile devices, 
b) Customers seeking confidence in the security of mobile devices used by them, 
c) Organizations seeking confidence in the security of mobile devices used by them, and 
d) Organizations performing security assessment of mobile devices. 
In the formulation of this standard, assistance has been derived from the following document: 

NIST Special Publication 1800-4b (Draft), Mobile Device Security: Approach, Architecture, and Security 
Characteristics, Cloud and Hybrid Builds. 


The composition of the Committee, responsible for the formulation of this standard is given at Annex A. 
0 INTRODUCTION 


Mobile devices for personal and enterprise use are used for various purposes and applications, which may require 
different degrees of security assurance. In order to address this, different levels of security, and the corresponding security 
requirements based on the criticality of the operations being performed and the data being handled by the mobile device, need 
to be defined. 
Indian Standard 


MOBILE DEVICE SECURITY 
PART 3 SECURITY LEVELS 


1 SCOPE 


This Standard (Part 3) defines security levels, the 
security requirements and applicability of these 
security levels for security assessment, evaluation and 
certification of mobile devices. 


2 REFERENCES 


The standards/documents given below contain 
provisions, which through reference in this text 
constitute provisions of this standard. At the time of 
publication, the editions indicated were valid. All 
standards/documents are subject to revision, and parties 
to agreements based on this standard are encouraged to 
investigate the possibility of applying the most recent 
editions of the standards listed as follows: 


IS No. Title 

17737 (Part 1) : 2021 Mobile device security: Part 1 Overview 
17737 (Part 2) : 2021 Mobile device security: Part 2 Security requirements 


3 TERMINOLOGY 


For the purpose of this standard (Part 3), the definitions 
given in IS 17737 (Part 1) shall apply. 


4 MOBILE DEVICE SECURITY LEVELS 


There are two levels of security defined for mobile devices. 
These levels are as follows: 


a) Security level 1 — Baseline security, and 
b) Security level 2 — Comprehensive security. 


4.1 Security Level 1: Baseline Security 


4.1.1 Baseline security is the minimum security required to 
provide adequate confidence to the user that mobile OS 
security requirements, mobile pre-installed application 
security requirements, and limited mobile device 
security control requirements have been implemented 
to ensure confidentiality, integrity and availability of 
user data. It covers: 


a) Mobile OS security requirements as given in 6.4.1 
of Part 2 of this standard, 

b) Mobile pre-installed application security 
requirements as given in 6.4.2 of Part 2 of this 
standard; and 

c) Limited mobile device security control 
requirements as given in Table 1. 


4.1.2 Components of the mobile device technology stack 
related to baseline security are the mobile operating 
system, pre-installed applications, mobile hardware 
and firmware. 


Table 1 Limited Mobile Device Security Control Requirements for Security Level 1 
( Clause 4.1.3 ) 


Security Characteristics Security Controls 


a) Device protection (device integrity) 1) Application black/whitelisting, 
2) Application verification, and 
3) Verified application and OS updates. 
b) Data protection 1) Protected storage: 
i) Device encryption, and 
ii) Remote wipe. 
2) Protected communications: 
i) Virtual private network (VPN). 
c) Data isolation 1) Device resource management. 
d) Identity and authorization 1) Local user authentication to applications, and 
2) Local user authentication to device. 
e) Monitoring 1) Root and jailbreak detection. 
f) Privacy protection 1) Informed consent of user, and 
2) Privacy notification provided to user. 
4.1.3 Security characteristics related to baseline 
security are device protection, data protection, data 
isolation, identity and authorization, monitoring and 
privacy protection. Security characteristics and security 
control requirements for security level 1 are given in 
Table 1. 


4.2 Security Level 2: Comprehensive Security 


4.2.1 Comprehensive security is an advanced level of 
security that provides a high degree of confidence to the user 
that the security requirements at each layer of the mobile device 
technology stack have been implemented for protecting 
sensitive information, to ensure confidentiality, integrity 
and availability of user data. It covers: 


a) Mobile OS security requirements as given in 6.4.1 
of Part 2 of this standard, 

b) Mobile pre-installed application security 
requirements as given in 6.4.2 of Part 2 of this 
standard; and 

c) Mobile device security control requirements as 
given in Table 2. 


Security level 2 adds additional security control 
requirements at the device hardware and firmware layer, 
resulting in resilience against more sophisticated 
attacks, assuming the security controls of level 1 are 
intact and the end user is not viewed as a potential 
adversary. 


4.2.2 Components of the mobile device technology stack 
related to comprehensive security are the mobile operating 
system, pre-installed applications, mobile hardware 
and firmware. 


4.2.3 Security characteristics related to comprehensive 
security are device protection, data protection, data 
isolation, identity and authorization, monitoring 
and privacy protection. Security characteristics and 
security control requirements for security level 2 are 
given in Table 2. 


5 APPLICABILITY OF LEVELS 


5.1 Security Level 1 


Security level 1 addresses minimum security 
requirements and is recommended for all mobile 
devices for personal use. 


5.2 Security Level 2 


Security level 2 is recommended for mobile devices for 
enterprise use and personal use. 


Security level 2 has additional security requirements 
over and above the security requirements of security 
level 1. A mobile device which has already been assessed and 
certified for security level 1 and is to be assessed for 
security level 2 shall meet all the security 
requirements, including the level 1 security requirements. 


Implementing the requirements of security level 2 
increases security, while at the same time increasing the 
cost of development. In general, security level 2 is 
recommended for a mobile device whenever it makes 
sense from a risk versus cost perspective (that is, 
where the potential loss caused by a compromise of 
confidentiality or integrity is higher than the cost 
incurred by the additional security). 


5.3 The applicability of security levels with respect to 
the mobile device use case scenario (please see 4.1 of 
Part 2 of this Standard) is as given in Table 3. 
Table 2 Mobile Device Security Control Requirements for Security Level 2 
( Clause 4.2.3 ) 


Security Characteristics Security Controls 


a) Device protection (device integrity) 1) Baseband integrity checks, 
2) Application black/whitelisting, 
3) Device integrity checks: 
i) Boot validation, 
4) Application verification, and 
5) Verified application and OS updates. 
b) Data protection 1) Protected storage: 
i) Device encryption, 
ii) Secure containers, 
iii) Trusted key storage, and 
iv) Remote wipe. 
2) Protected communications: 
i) Virtual private network (VPN), and 
ii) To include per-app VPN. 
3) Data protection in process: 
i) Encrypted memory, and 
ii) Trusted execution environment. 
c) Data isolation 1) Sandboxing, 
2) Memory isolation, 
3) Trusted execution environment, 
4) Device resource management, and 
5) Baseband isolation. 
d) Identity and authorization 1) Local user authentication to applications, 
2) Local user authentication to device, 
3) Remote user authentication, and 
4) Credential and token storage and use. 
e) Monitoring 1) Auditing and logging, and 
2) Root and jailbreak detection. 
f) Privacy protection 1) Informed consent of user, and 
2) Privacy notification provided to user. 


Table 3 Applicability of Security Levels 
( Clause 5.3 ) 


Use Case Scenario Applicable Security Level 


Use Case-1: Mobile device for personal use Security Level 1: Baseline security 

Use Case-2: Mobile device for enterprise use and personal use Security Level 2: Comprehensive security (with all security controls applicable) 
ANNEX A 
( Foreword ) 


COMMITTEE COMPOSITION 

Organization Representative(s) 

SHRI SANJEEV CHHABRA 
SHRI RAJESH SHARMA 
PROF ANIL PRABHAKAR 
DR V. K. KANHERE 
MS SUSHILA MADAN 
SHRI N. SATHYAN 
SHRI TIRUMALA RAO K. (Alternate) 
SHRI S. K. NEHRA 
DR SOMNATH CHANDRA (Alternate III) 
SHRI TARUN PANDEY (Alternate IV) 
SHRI SUJIT BANERJEE 
SHRI KISHOR N. NARANG 
SHRI A. S. BHATNAGAR 
SHRI SATEESH PALAGIRI (Alternate) 

Patanjali Associates Private Limited, New Delhi 
Qualcomm India Private Limited, Bengaluru 
Reserve Bank Information Technology Private Limited 
Smart Chip Private Limited, Noida 
Standardization Testing and Quality Certification (STQC) 
Tata Consultancy Services Limited, Mumbai 
The Perspective, New Delhi 
WYSE Biometrics System Private Limited, Pune 